How you specifically should study and how long it will take is hard to answer; most students use 3-5 months with around 2 hours a day of studying.
It is hard to answer because we all have different starting points and different knowledge, we learn differently, and there are 20 other factors.
I have had students who have done it in a week and others who have taken years.
TL;DR version.
- Start continual reviews: right after you study a topic, then after 1 day, 1 week, and 1 month.
- Take my "CISSP: How to study" course for the right framework.
- Watch my full CISSP curriculum videos, read the books, rewatch the videos, read the study guides, take/update notes at all stages.
- Do Easy/Mid difficulty questions (2-3,000 until 80%+ in all domains, 1-3 months), deconstruct questions, eliminate answer options, pick the MOST right answer, restudy everything you get wrong to fill your knowledge gaps.
- Do Hard questions (1,000 - 1,500, starting at 45-55% is normal and OK, 2-4 weeks). Same process, learn to handle complex questions, review all wrong answers, study until you can explain it.
- Review videos, study guides, and notes before the exam, win, eat cake.
The much longer version.
Do continual reviews:
- Start a cycle of repeated reviews to ensure you retain the knowledge and do not just read it and forget it. Do this for all materials (videos, books, study guides, everything) for the entire study cycle.
- Do a quick review after each topic, explain it to yourself, and write your notes. Review it again 24 hours later and explain it to yourself, then again in 1 week, and in 1 month.
- Yes, this seems like it takes more time, but it will also get you to your goal sooner; you will forget less and do better on your exam.
- Search for the forgetting curve. For me, reviewing right after I finish a topic, then at 1 day, 1 week, and 1 month works, but tweak it for what you need.
How to use your actual videos, books, and study guides.
- Take my free "CISSP: How to study" course. It makes sure you have the right study framework, build your own study plan, and find your study materials.
- Watch the full CISSP curriculum video course, take notes.
- Read your book(s) of choice, covered in the free course, take notes.
- Read the free study guides (Memory Palace, CISSP process guide, Sunflower notes, my study guides from the video course, whatever else you have).
- Review the video course on 1.5-2x for a refresher, review your notes from all sources.
- Start on practice questions, Easy/Mid questions first, normally 2-3,000 questions, 1-3 months.
How to use practice questions:
- When approaching practice questions, it is important to take the time to read the entire question carefully, preferably reading it twice. After reading the question, you should deconstruct it to understand what it is really asking. Look for keywords and indicators such as "most," "best," "least," "can," and "always." These will help you identify the main focus of the question.
- To deconstruct the question, boil it down to its essence. Sometimes a question may contain a lot of unnecessary information, so it's important to identify the key elements. Focus on the last few words of the question, as they often hold the crux of what is being asked.
- For example, if the question states that Jane, the lead of the incident response team, reports a security breach to Raul, the IT security manager, and asks who Fatima should notify first, you can deconstruct the question to: "We have been attacked and compromised. Who do we notify first?"
- Once you have deconstructed the question, carefully review the answer options. Consider each option in relation to the question and determine which one aligns with the deconstructed essence of the question. Eliminate options that do not fit the context or are not the first action to take.
- Remember, practice questions are meant to help you identify knowledge gaps and reinforce your understanding of the concepts. It is important to review all the questions you marked for review and those you answered incorrectly. Restudy the topics related to these questions to strengthen your knowledge and ensure you understand why you got them wrong.
- I normally do not recommend that you reuse practice questions because memorizing answers does not help in understanding the concepts. It is better to focus on learning and comprehending the underlying principles.
Which practice questions to use when:
Use Easy/Mid difficulty questions until you consistently hit 80%+ on all domains on multiple test engines. Follow the process above; the review/restudy is the MOST important part.
Switch to Hard questions, 1,000-1,500 questions, 2-4 weeks.
- Same process, take a test, review the results, anything you marked for review or you got wrong, restudy it until you are clear on why you got it wrong AND you can explain why.
- Note: on hard questions it is normal and OK to score 45-55% on the first tests. These are hard questions.
- Where the Easy/Mid questions are meant to find your knowledge gaps, the hard questions are used to get you ready for complex convoluted scenarios, which is what you will see on the exam.
- Hard questions include my Hard questions, the Boson questions, and Luke Ahmed’s SNT questions.
- I have students who never get above 55-60% in my hard questions and still pass the exam. The value in the hard questions is really changing your mindset and learning how to tackle complex questions.
The purpose of each type of material:
- Books, videos, study guides, Google, GenAI, and study groups are for gaining knowledge.
- Easy/mid questions are for finding the large knowledge gaps.
- Hard questions are for getting the right mindset and learning to logic your way through complex scenarios and deconstructing questions.
- You will need all 3 to pass your CISSP exam.
What is needed and what does not work:
- The CISSP exam question pool is supposedly over 10,000 questions large and growing. This means that no practice test engine will ever “be like the exam”. Do not use braindumps, they are unethical, they devalue the certification, they are illegal, and they do not work for the CISSP.
- You need to understand ALL the concepts, be able to explain them and be able to logic your way through complex convoluted exam questions.
- Do not worry if you spend 3-5 minutes on a question to begin with; just learn to deconstruct the question.
How to deconstruct questions and answers:
- Read the question; spot the keywords (PKI, Integrity, HIPAA) and indicators (FIRST, MOST, BEST), then deconstruct the question; what are they really asking here?
- Once you have deconstructed the question, read the answer options.
- Deconstruct the answer options too, if needed.
- Many questions have 2 distractors and 2 possible right answers.
- In rare cases, there can also be 4 wrong answers (you then pick the LEAST wrong answer) or 4 right answers (you then pick the MOST right answer).
- After each practice test, review all the questions you got wrong and the ones you marked for review, and read the question explanation. Then re-read the book, re-watch the video, and use Google on the topics you answered wrong on the test.
Re-study the topic until you understand WHY the right answer is the right answer, and why you answered it wrong.
This is critical; you need to grow your knowledge, not just grind out practice tests.
The last weeks:
For the last 1-2 weeks, reread the shorter books, re-watch all the videos at 1.5x – 2x speed, and revisit all your own notes. This is just to refresh the topics you covered earlier in your studying.
I normally do not recommend studying on exam day, but it can be beneficial to do 5-10 questions right before the test to get in the right mindset just prior to the exam, but do not wear your brain out (read in the parking lot or similar).
I have links for everything else as far as study materials within the free course above.
I hope this has answered some of your CISSP study questions; if you have another question, let me know.
Most things related to how, when, and what to study are in the free course, but I am always listening to student feedback to improve my courses and articles like this :)
Lead trainer at ThorTeaches.com
where we offer on-demand CISSP, CISM, CC, and PMP training.
CISSP, CISM, PMP, CDPSE, 2x CCNP, 3x CCNA, Sec+, CC ... and many more